Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-17-richard.henderson@linaro.org Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-16-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-14-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Prepare to perform access checks for direct and
indirect uses of FPMR.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-13-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
FPMR is cleared when entering or exiting Streaming Mode.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-12-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-11-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-10-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Introduce the special register FPMR and its fields.
Migrate it when present.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-9-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-8-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-7-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-6-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260522220306.235200-5-richard.henderson@linaro.org
[PMM: add comments for TRANS_ macros] Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Since there is no bfloat16 variant of FAMINMAX,
check for missing function pointer in do_z2z_nn_fpst.
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-4-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Signed-off-by: Richard Henderson <richard.henderson@linaro.org> Reviewed-by: Peter Maydell <peter.maydell@linaro.org>
Message-id: 20260522220306.235200-3-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Reviewed-by: Peter Maydell <peter.maydell@linaro.org> Signed-off-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260522220306.235200-2-richard.henderson@linaro.org Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
Peter Maydell [Thu, 21 May 2026 12:29:13 +0000 (13:29 +0100)]
target/arm: Set correct fp flags for FLOGB when FPCR.AH = 1
Our implementation of the FLOGB insn does the operations entirely
in the helper function, without needing to use fpu functions.
This means it needs to handle all the fp status flags itself.
We aren't setting float_flag_input_denormal_used when we
use (i.e. do not flush to zero) an input denormal, which means
that FPCR.IDC isn't set when it should be for FPCR.AH=1.
We missed this when we added float_flag_input_denormal_used
and made the fpu/ code set it.
Add the missing float_raise().
Cc: qemu-stable@nongnu.org Fixes: d38a57a3f ("target/arm: Enable FEAT_AFP for '-cpu max'") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260521122913.1565011-4-peter.maydell@linaro.org
Peter Maydell [Thu, 21 May 2026 12:29:12 +0000 (13:29 +0100)]
target/arm: Use FPST_A64_F16 for SVE FCVTLT_hs
We should be using the F16-specific float_status for conversions from
half-precision, because halfprec inputs never set Input Denormal. If
we use the FPST_A64 fpstatus then we will incorrectly set FPCR.IDC
for input-denormals when FPCR.AH=1.
In commit e07b48995aaa we updated most of the halfprec-to-other
conversion insns to use FPST_A64_F16 as part of implementing
FEAT_AHP. However we missed the SVE FCVTLT instruction, which has a
halfprec-to-single encoding.
Correct the FPST we use for the hs variant of FCVTLT.
Cc: qemu-stable@nongnu.org Fixes: e07b48995aaa ("target/arm: Use FPST_A64_F16 for halfprec-to-other conversions") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260521122913.1565011-3-peter.maydell@linaro.org
Peter Maydell [Thu, 21 May 2026 12:29:11 +0000 (13:29 +0100)]
target/arm: SVE2 FMAXP, FMINP must honour AH=1
The behaviour of floating-point maximum and minimum insns has
some odd special cases when FPCR.AH=1. We get this right in most
places (for instance, the ASIMD FMAXP, FMINP) but forgot about
it for the SVE2 versions of FMAXP and FMINP.
Cc: qemu-stable@nongnu.org Fixes: 384433e70983 ("target/arm: Implement FPCR.AH semantics for FMINP and FMAXP") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Alex Bennée <alex.bennee@linaro.org>
Message-id: 20260521122913.1565011-2-peter.maydell@linaro.org
Peter Maydell [Mon, 18 May 2026 16:04:40 +0000 (17:04 +0100)]
tests/functional/aarch64: Bump up timeout on vbsa
On a debug build, the virt_vbsa functional test takes about 2 minutes to
run on my machine, so it tends to time out. Bump the timeout to 4 mins.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Thomas Huth <thuth@redhat.com>
Message-id: 20260518160440.1037245-1-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:41 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of get_phys_addr return value
This completes the conversion of this family of functions to
returning true on success and false on failure.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-15-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:40 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of get_phys_addr_for_at return value
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-14-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:39 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of arm_cpu_get_phys_addr return value
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-13-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:38 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of get_phys_addr_gpc return value
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-12-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:37 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of get_phys_addr_nogpc return value
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-11-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:36 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of get_phys_addr_twostage return value
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-10-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:35 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of pmsav8_mpu_lookup return value
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-9-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:34 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of get_phys_addr_pmsav8 return value
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-8-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:33 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of get_phys_addr_pmsav7 return value
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-7-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:32 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of get_phys_addr_psmav5 return value
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-6-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:31 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of get_phys_addr_v5 return value
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-5-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:30 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of get_phys_addr_v6 return value
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-4-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:29 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of get_phys_addr_lpae return value
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-3-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 14:25:28 +0000 (15:25 +0100)]
target/arm/ptw: Flip sense of get_phys_addr_disabled return value
We want to bring all the get_phys_addr* functions in ptw.c into line
with the sense that translate_for_debug() has and which seems more
logical: true on success, and false on failure.
Start with get_phys_addr_disabled().
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515142541.571911-2-peter.maydell@linaro.org
Peter Maydell [Fri, 15 May 2026 13:12:45 +0000 (14:12 +0100)]
target/arm: Set debug in attrs in translate_for_debug()
The translate_for_debug method is supposed to return attributes
that include the debug flag being set. We forgot this when
implementing the method for Arm.
Fixes: abefca8e7f957 ("target/arm: Implement translate_for_debug") Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260515131245.366240-1-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 20:34:14 +0000 (21:34 +0100)]
hw/dma/omap_dma: Drop model argument to omap_dma_init()
The model argument to omap_dma_init() is always omap_dma_3_1, and all
we do with it now is assert this; drop the argument and the enum.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260512203414.3633237-13-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 20:34:12 +0000 (21:34 +0100)]
hw/dma/omap_dma: Remove 3.1 mapping handling
Now we have no 3.2 DMA support, the omap_dma_enable_3_1_mapping()
function is called at reset, and there is no longer anywhere that
disables it. Remove the function and the unused
omap_3_1_mapping_disabled struct field, and drop the indirection from
omap_dma_interrupts_update() through the intr_update function pointer
to omap_dma_interrupts_3_1_update(), instead inlining that last
function into omap_dma_interrupts_update().
The only other thing omap_dma_enable_3_1_mapping() was doing was
setting s->chans; since this is now never changed at runtime we can
move its setting into the init function rather than reset.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260512203414.3633237-11-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 20:34:11 +0000 (21:34 +0100)]
hw/dma/omap_dma: Remove omap_3_1_compatible_disable flag
The OMAP DMA device has an omap_3_1_compatible_disable flag in its
channel struct, which the 3.2 version of the DMA block used to tell
whether it should behave compatibly with 3.1 or not. Now we have no
3.2 support, the omap_3_1_compatible_disable flag is set to false and
can't be changed, so we can remove it, folding out all the conditions
where we were testing it as always-false.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260512203414.3633237-10-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 20:34:10 +0000 (21:34 +0100)]
hw/dma/omap_dma: Fold omap_dma_sys_read() and omap_dma_sys_write() into callers
Now we have removed the DMA 3.2 support, we call omap_dma_sys_read()
only for the single address offset 0x400, and similarly for
omap_dma_sys_write(). The other cases in those functions are DMA
3.2-only and now dead code. Fold the 0x400 register directly into
the callers, and remove the rest.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260512203414.3633237-9-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 20:34:09 +0000 (21:34 +0100)]
hw/dma/omap_dma: Remove support for dma_3_0 and dma_3_2
The omap_dma device has support for modelling different variants
of the DMA block, as enumerated by the omap_dma_model enum:
3_0, 3_1 and 3_2. However, our one remaining OMAP SoC always
passes omap_dma_3_1 into the omap_dma_init() function, so the
handling for 3_0 and 3_2 is never used.
Remove the support for the other versions; this lets us
delete entirely two large functions that were specific
to 3.2 DMA to the LCD controller, and all their associated
fields in the omap_dma_lcd_channel_s struct.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260512203414.3633237-8-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 20:34:08 +0000 (21:34 +0100)]
hw/arm/omap: Remove unused wakeup irq
The OMAP code creates a qemu_irq whose set function is
omap_mpu_wakeup(), and passes that irq into omap_mpuio_init(), which
saves it in its omap_mpuio_s::wakeup field. However nothing ever
touches that qemu_irq again, so omap_mpu_wakeup() is never called.
Remove all this as dead code. This lets us remove a direct call to
cpu_interrupt(cpu, CPU_INTERRUPT_EXITTB) from within board/SoC code,
which is pretty ugly and might not even do the right thing these
days.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260512203414.3633237-7-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 20:34:07 +0000 (21:34 +0100)]
hw/arm/omap: Delete unused #defines
Delete some #defines which we no longer use because they are
for OMAP SoCs which we dropped support for.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260512203414.3633237-6-peter.maydell@linaro.org
For the one remaining OMAP board, we use only the first 6 entries
in the omap1_dma_irq_map[] array; the rest were for OMAP1610.
Delete the now-unused elements.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260512203414.3633237-5-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 20:34:05 +0000 (21:34 +0100)]
hw/arm/omap: Remove stray unused prototype
When we removed the support for most of the OMAP SoCs, we missed
deleting a function prototype that was for a function defined in
removed code. Delete it now.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260512203414.3633237-4-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 20:34:04 +0000 (21:34 +0100)]
hw/arm/omap: Remove unused omap_mpuio functions
The omap1.c file includes some functions which used to be used by the
other OMAP SoC variants which we removed a while ago, but which we
missed when doing that removal. They have no callers, so we can
delete them.
This code was the last user of hw_error() in this file, so we
can also remove the hw-error.h include.
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260512203414.3633237-3-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 20:34:03 +0000 (21:34 +0100)]
hw/arm/omap: Remove omap_mpu_model remnants
The omap1.c code has handling for an mpu_model field which is
an enum of which OMAP SoC model it is. We removed most of our
OMAP support some time ago, and now the only OMAP SoC we
implement is the OMAP310, which sets s->mpu_model = omap310
in omap310_mpu_init().
That makes all the handling for other settings of mpu_model dead
code; remove them. This includes the omap GPIO device's mpu_model
property which we set but which the device makes no use of, and the
omap-id-e20 memory region (because the OMAP310 satisfies
cpu_is_omap15xx(), so never executed the old if() block).
Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Philippe Mathieu-Daudé <philmd@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260512203414.3633237-2-peter.maydell@linaro.org
Peter Maydell [Tue, 12 May 2026 13:47:50 +0000 (14:47 +0100)]
hw/timer/mss_timer: Remove dead code in timer_write()
In timer_write(), we switch() on the address offset to handle
registers that need special-casing, with a default case that handles
both "unsupported (64-bit mode) register" and "can just write value
to st->regs[]". However, as Coverity points out, every register is
covered by the special-casing, so the "write to st->regs[]" code path
is dead. (timer_read() has a similar structure but there several
registers do go through the default code path.)
Replace the dead code with an assertion.
CID: 1613905 Signed-off-by: Peter Maydell <peter.maydell@linaro.org> Reviewed-by: Richard Henderson <richard.henderson@linaro.org>
Message-id: 20260512134750.3543639-1-peter.maydell@linaro.org
queues may be set to 1, and likewise fds may contain only one fd.
No reason to block such cases. Let's check exactly the number of queues.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Ben Chaney <bchaney@akamai.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
net/tap: net_init_tap(): merge fd=, fds= and helper= cases into one
Now fd= and helper= cases are just a duplication of fds= case with
queues=1. Let's merge them all.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Ben Chaney <bchaney@akamai.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
There is a bug in the interface: we don't allow the vhostfds argument
together with queues. But we allow vhostfd, and try to use it for all
queues of multiqueue TAP.
Let's relax the restriction. We already check that the number of vhost fds
matches queues (or the number of fds). So it does not matter whether the
vhost fds come from the vhostfds or the vhostfd argument. Let's use the
correct vhost fds for multiqueue TAP.
To achieve this we move vhost fds parsing to separate function and call
it earlier in net_init_tap(). Then we have vhost fds available (and
already checked) for all further cases.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Ben Chaney <bchaney@akamai.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
net/tap: move fds parameters handling to separate functions
This significantly simplifies the code in net_init_tap().
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Ben Chaney <bchaney@akamai.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
Add common net_parse_fds() and net_free_fds() helpers and use them
in tap.c and af-xdp.c.
Choose returning queues instead of fds, because we'll have derived
helper in net/tap, which will be able to return fds=NULL and non-zero
queues on success. That's also why we move to INT_MAX for queues, to
support negative return value for net_parse_fds() (for failure paths).
Note that redundant restriction of MAX_TAP_QUEUES is dropped for tap.c
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Ben Chaney <bchaney@akamai.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
It could be simply derived from tap parameter. And this change
simplifies further refactoring.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Ben Chaney <bchaney@akamai.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
net/tap: net_init_tap_one() refactor to get vhostfd param
Get vhostfd instead of vhostfdname:
- more symmetry with fd param
- prepare for further changes
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Ben Chaney <bchaney@akamai.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
- simplifies failure paths in the function
- get rid of unusual free_fail: in the middle of the function
- simplify further refactoring
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Ben Chaney <bchaney@akamai.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
Move checks to the top of the function to simplify further
refactoring. Merge duplicated checks.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Ben Chaney <bchaney@akamai.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
net/tap: net_init_tap(): drop extra vhostfdname variable
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Ben Chaney <bchaney@akamai.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
Follow common recommendations in include/qapi/error.h of having
a return value together with errp. This allows us to avoid error propagation.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Ben Chaney <bchaney@akamai.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
In the for-loop in net_init_af_xdp, we do nc->queue_index = i,
where i is int64_t from 0 to queues-1, and nc->queue_index is
unsigned int.
Also in parse_socket_fds, g_strv_length() returns guint which
is equivalent to unsigned int.
Let's simply use int type for queues, and update the check
appropriately. It could be unsigned int, but in future commits
we'll share with net/tap.c the common function which will return
number of queues or negative error. So, let's simply use int for
queues-related variables, that simplifies things.
Signed-off-by: Vladimir Sementsov-Ogievskiy <vsementsov@yandex-team.ru> Reviewed-by: Ben Chaney <bchaney@akamai.com> Signed-off-by: Jason Wang <jasowang@redhat.com>
Jamin Lin [Mon, 25 May 2026 05:30:49 +0000 (05:30 +0000)]
docs/system/arm/aspeed: Add AST1040 Bridge IC evaluation board
Update the Aspeed AST10x0 documentation to include the
AST1040 evaluation board and clarify the AST10x0 family
classification.
The documentation now describes:
- AST1030 and AST1040 as Bridge IC devices
- AST1060 as a Platform Root of Trust processor
- AST1040 Cortex-M4F CPU frequency running at 400 MHz
Also add the ast1040-evb machine entry to the supported
AST10x0 SoC based machine list.
Jamin Lin [Mon, 25 May 2026 05:30:46 +0000 (05:30 +0000)]
hw/arm/aspeed: Add AST1040 EVB machine model
AST1040 is the next-generation device following AST1030 and is
primarily designed as a bridge/BIC controller platform. Introduce
a dedicated AST1040 EVB machine implementation for firmware
development and validation.
Although the existing ast10x0 EVB machine code already provides
a reusable minibmc initialization flow, AST1040 requires
different platform settings, including:
- Different SYSCLK frequency
- Different internal flash size
To avoid overloading the existing AST1030-specific helper,
introduce a separate aspeed_bic_machine_init() implementation in
a dedicated source file.
Jamin Lin [Mon, 25 May 2026 05:30:45 +0000 (05:30 +0000)]
hw/arm/aspeed: Introduce AST1040 A0 SoC model
The AST1040 is based on an ARM Cortex-M4F CPU core. Since QEMU
currently does not provide Cortex-M4F support, use the existing
Cortex-M4 CPU model as a temporary replacement.
This initial implementation provides the basic infrastructure
required to boot firmware and run a minimal firmware shell,
including:
- ARM Cortex-M4 CPU integration
- NVIC interrupt controller support
- Internal HyperRAM and SRAM memory regions
- SCU integration
- UART devices and interrupt wiring
AST1040 SCU behavior is compatible with the AST2700 SCUIO model,
so reuse the existing AST2700 SCUIO implementation directly
instead of introducing another identical SCU model. This reduces
duplicate code and helps minimize long-term codebase maintenance.
Several peripherals are currently modeled as unimplemented
devices and can be added incrementally in future updates.
Jamin Lin [Mon, 25 May 2026 05:30:43 +0000 (05:30 +0000)]
hw/arm/aspeed: Consolidate secure SRAM into SRAM array
Some Aspeed SoCs contain multiple SRAM regions with different
sizes and MMIO mappings, such as internal SRAM and secure SRAM.
The current implementation models secure SRAM separately from the
generic SRAM representation, which complicates future multi-SRAM
support and expansion.
Increase ASPEED_SRAM_NUM to 2 and migrate secure SRAM to use the
common SRAM array representation. Rename the secure SRAM memmap
entry to ASPEED_DEV_SRAM1 and update AST10x0 to initialize both
SRAM regions through sram[] and sram_size[].
This unifies SRAM-like regions under a common representation and
prepares for future SoCs with additional SRAM regions.
Jamin Lin [Mon, 25 May 2026 05:30:42 +0000 (05:30 +0000)]
hw/arm/aspeed: Rename SRAM memmap entry for multi-SRAM support
Some Aspeed SoCs contain multiple SRAM regions with different
MMIO mappings, such as internal SRAM and secure SRAM.
Prepare for future multi-SRAM support by renaming the SRAM
memmap entry from ASPEED_DEV_SRAM to ASPEED_DEV_SRAM0.
This makes the numbering explicit and aligns with the
array-based SRAM representation introduced previously.
Jamin Lin [Mon, 25 May 2026 05:30:40 +0000 (05:30 +0000)]
hw/arm/aspeed: Convert SRAM size definition to array type
Prepare the Aspeed SoC model for future platforms that may contain
multiple SRAM regions with different sizes and MMIO mappings.
The current implementation stores SRAM size information in a single
sram_size field, which limits extensibility when additional SRAM
instances are introduced.
Convert sram_size into an array-based definition and update all
existing users to reference sram_size[0]. This aligns with the
previous SRAM MemoryRegion array conversion and provides a scalable
foundation for supporting multiple SRAM regions in future SoCs.
Jamin Lin [Mon, 25 May 2026 05:30:39 +0000 (05:30 +0000)]
hw/arm/aspeed: Convert SRAM MemoryRegion to array type
Several kinds of RAM are supported across Aspeed SoCs, including
SRAM, SDRAM, HyperRAM, secure SRAM, and generic SRAM. In addition,
different SoCs may expose multiple SRAM regions at different MMIO
addresses.
The current implementation models SRAM with a single MemoryRegion
instance, which makes future expansion cumbersome when additional
SRAM types or regions are introduced.
Prepare for future SoC designs by converting the SRAM MemoryRegion
from a single object into an array-based structure. This change
introduces ASPEED_SRAM_NUM and converts existing SRAM users to
reference sram[0].
Stefan Hajnoczi [Mon, 25 May 2026 17:57:57 +0000 (13:57 -0400)]
Merge tag 'linux-user-next-pull-request' of https://github.com/hdeller/qemu-hppa into staging
linux-user updates from Matt Turner
Various linux-user updates and fixes from Matt Turner regarding VDSO and
coredump support for hppa, mips, mips64, riscv and sh4.
# gpg: Signature made Sun 24 May 2026 09:18:10 EDT
# gpg: using EDDSA key BCE9123E1AD29F07C049BBDEF712B510A23A0F5F
# gpg: Good signature from "Helge Deller <deller@gmx.de>" [unknown]
# gpg: aka "Helge Deller <deller@kernel.org>" [unknown]
# gpg: aka "Helge Deller <deller@debian.org>" [unknown]
# gpg: WARNING: This key is not certified with a trusted signature!
# gpg: There is no indication that the signature belongs to the owner.
# Primary key fingerprint: 4544 8228 2CD9 10DB EF3D 25F8 3E5F 3D04 A7A2 4603
# Subkey fingerprint: BCE9 123E 1AD2 9F07 C049 BBDE F712 B510 A23A 0F5F
* tag 'linux-user-next-pull-request' of https://github.com/hdeller/qemu-hppa:
linux-user/sh4: add VDSO support for sh4 and sh4eb
linux-user/riscv: add coredump support
linux-user/mips: use tswap32 in elf_core_copy_regs
linux-user/mips64: fix mipsn32 elf_core_copy_regs entry width
linux-user/mips64: fix elf_core_copy_regs register layout in core files
linux-user/hppa: add coredump support
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
* tag 'pull-ppc-for-11.1-0523-20260523' of https://gitlab.com/harshpb/qemu:
ppc/spapr: Make Power11 as default cpu for pseries
ppc/pnv: Make PowerNV11 as the default powernv machine
target/ppc/kvm: Fix const violation when trimming CPU alias suffix
ppc/pnv: Fix uninitialized MpiplProcDumpArea struct
ppc/spapr: Skip system reset for quiesced CPUs
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
qemu_laio_process_completions() wraps its body in defer_call_begin /
defer_call_end. Inside the section, completion callbacks wake coroutines
that queue new aiocbs; laio_do_submit() defers laio_deferred_fn. At the
bottom of qemu_laio_process_completions() the defer_call_end() fires
laio_deferred_fn, which calls ioq_submit(), closing the cycle:
When io_submit(2) returns asynchronously (O_DIRECT) the cycle
terminates in one extra frame: the fresh aiocb is still in flight, no
completion is drained, no coroutine wakes, no new submission queues.
When submissions complete synchronously (non-O_DIRECT, or per-descriptor
drivers such as vmdk) each level enqueues more work for the next
defer_call_end() to drain, so recursion grows without bound and QEMU
crashes with SIGSEGV on the thread guard page.
The cycle was closed by two performance commits, each correct in
isolation:
076682885d ("block/linux-aio: convert to blk_io_plug_call() API")
-- introduced laio_deferred_fn and wired
laio_do_submit -> defer_call(laio_deferred_fn, s).
84d61e5f36 ("virtio: use defer_call() in virtio_irqfd_notify()")
-- added defer_call_begin/end around qemu_laio_process_completions
so virtio-irqfd notifications batch across a completion pass.
The supported aio=native + cache=none pairing keeps submissions
asynchronous, so the cycle stays bounded; nothing in the code enforces
that contract. Observed in production as a SIGSEGV during a backup job
configured with --cached + aio=native; reproducible on upstream with
qemu-io against vmdk.
Cap ioq_submit() recursion with a counter on LaioQueue, which is only
accessed from the AioContext home thread. On overflow, return without
submitting. The pending work is drained by s->completion_bh, which
qemu_laio_process_completions() has already scheduled on entry -- no
work is lost; one event-loop round-trip of latency is paid only when
the bound is hit, which cannot happen on a supported configuration.
Signed-off-by: Denis V. Lunev <den@openvz.org> CC: Kevin Wolf <kwolf@redhat.com> CC: Hanna Reitz <hreitz@redhat.com> CC: Stefan Hajnoczi <stefanha@redhat.com> CC: Paolo Bonzini <pbonzini@redhat.com>
Message-ID: <20260520142503.251959-2-den@openvz.org> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
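The recursion described in the commit message above, reduced to a toy model with and without the depth cap. This is an added example, not code from the commit or from QEMU. The `laio_model` struct, the `model_*` functions and the bound of 8 are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_SUBMIT_DEPTH 8  /* assumed bound; the commit message gives no value */

/* Hypothetical stand-in for the queue state; not QEMU's LaioQueue. */
struct laio_model {
    int  pending;     /* requests queued but not yet submitted */
    int  to_enqueue;  /* follow-up requests woken coroutines will still queue */
    int  completed;   /* requests that have finished */
    int  depth;       /* current nesting of model_submit() */
    int  max_depth;   /* deepest nesting reached */
    int  bh_runs;     /* times the bottom half had to pick up leftover work */
    bool cap;         /* whether the recursion counter is enforced */
};

static void model_submit(struct laio_model *q);

/* Completion pass: every completion wakes a coroutine that may queue one more
 * request. Leaving the deferred section fires the deferred submit if
 * anything was queued, which is the edge that closes the cycle. */
static void model_process_completions(struct laio_model *q, int done)
{
    for (int i = 0; i < done; i++) {
        q->completed++;
        if (q->to_enqueue > 0) {
            q->to_enqueue--;
            q->pending++;
        }
    }
    if (q->pending > 0) {
        model_submit(q);
    }
}

/* Submission that always completes synchronously (the unsupported case). */
static void model_submit(struct laio_model *q)
{
    if (q->cap && q->depth >= MAX_SUBMIT_DEPTH) {
        return;  /* over the bound: leave the work pending for the bottom half */
    }
    q->depth++;
    if (q->depth > q->max_depth) {
        q->max_depth = q->depth;
    }
    int batch = q->pending;
    q->pending = 0;
    model_process_completions(q, batch);
    q->depth--;
}

/* One guest request followed by `follow_ups` chained requests. */
struct laio_model run_model(int follow_ups, bool cap)
{
    struct laio_model q = { .pending = 1, .to_enqueue = follow_ups, .cap = cap };
    model_submit(&q);
    while (q.pending > 0) {  /* event loop: the bottom half drains leftovers */
        q.bh_runs++;
        model_submit(&q);
    }
    return q;
}

int main(void)
{
    struct laio_model a = run_model(1000, false);
    struct laio_model b = run_model(1000, true);
    printf("uncapped: depth=%d completed=%d bh_runs=%d\n",
           a.max_depth, a.completed, a.bh_runs);
    printf("capped:   depth=%d completed=%d bh_runs=%d\n",
           b.max_depth, b.completed, b.bh_runs);
    return 0;
}
```

In the uncapped run the stack depth grows with the number of chained requests; in the capped run it stays at the bound and the same number of requests still completes, at the cost of extra event-loop passes.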
Jinjie Ruan [Wed, 14 Jan 2026 01:32:57 +0000 (09:32 +0800)]
mc146818rtc: Fix get_guest_rtc_ns() overflow bug
In get_guest_rtc_ns(), "s->base_rtc" is uint64_t, which multiplied by
"NANOSECONDS_PER_SECOND" may overflow the uint64_t type, which will
cause the QEMU Linux Virtual Machine's RTC time to jump and in turn
triggers a kernel Soft Lockup and ultimately leads to a crash.
Fix it by avoiding adding s->base_rtc in get_guest_rtc_ns_offset(),
because get_guest_rtc_ns() is used either to take the remainder of
NANOSECONDS_PER_SECOND or to take the quotient of NANOSECONDS_PER_SECOND.
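The wrap-around described in the commit message above, next to an offset-only calculation that keeps seconds and nanoseconds apart. This is an added example, not the code of the commit. The `rtc_model` struct, the `rtc_*` helpers and the sample values are assumptions; only `base_rtc` and `NANOSECONDS_PER_SECOND` come from the message.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define NANOSECONDS_PER_SECOND 1000000000ULL

/* Hypothetical reduced RTC state, not QEMU's device struct. */
struct rtc_model {
    uint64_t base_rtc;     /* RTC value in seconds when last latched */
    uint64_t last_update;  /* guest clock in ns at that moment */
    int64_t  offset;       /* sub-second adjustment in ns */
};

/* Overflowing pattern: seconds are scaled to ns inside a uint64_t, which
 * wraps once base_rtc exceeds UINT64_MAX / NANOSECONDS_PER_SECOND. */
uint64_t rtc_ns_scaled(const struct rtc_model *s, uint64_t guest_clock)
{
    return s->base_rtc * NANOSECONDS_PER_SECOND
           + guest_clock - s->last_update + (uint64_t)s->offset;
}

/* True when scaling base_rtc to nanoseconds does not fit in 64 bits. */
bool rtc_base_scaling_wraps(uint64_t base_rtc)
{
    return base_rtc > UINT64_MAX / NANOSECONDS_PER_SECOND;
}

/* Offset-only value: nanoseconds elapsed since base_rtc was latched. */
uint64_t rtc_ns_offset(const struct rtc_model *s, uint64_t guest_clock)
{
    return guest_clock - s->last_update + (uint64_t)s->offset;
}

/* Quotient use: whole seconds, with base_rtc added in seconds, never scaled. */
uint64_t rtc_seconds(const struct rtc_model *s, uint64_t guest_clock)
{
    return s->base_rtc + rtc_ns_offset(s, guest_clock) / NANOSECONDS_PER_SECOND;
}

/* Remainder use: position inside the current second. base_rtc contributes a
 * whole number of seconds, so it cannot change this value. */
uint64_t rtc_subsecond_ns(const struct rtc_model *s, uint64_t guest_clock)
{
    return rtc_ns_offset(s, guest_clock) % NANOSECONDS_PER_SECOND;
}

/* Constructed sample: a base_rtc just above the wrap threshold. */
struct rtc_model rtc_sample_state(void)
{
    struct rtc_model s = { .base_rtc = 20000000000ULL,
                           .last_update = 1000, .offset = 0 };
    return s;
}

int main(void)
{
    struct rtc_model s = rtc_sample_state();
    uint64_t now = s.last_update + 5500000000ULL;  /* 5.5 s later */

    printf("wraps: %d\n", rtc_base_scaling_wraps(s.base_rtc));
    printf("scaled seconds: %" PRIu64 "\n",
           rtc_ns_scaled(&s, now) / NANOSECONDS_PER_SECOND);
    printf("offset seconds: %" PRIu64 " + %" PRIu64 " ns\n",
           rtc_seconds(&s, now), rtc_subsecond_ns(&s, now));
    return 0;
}
```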
Magnus Kulke [Tue, 21 Apr 2026 05:21:54 +0000 (05:21 +0000)]
accel/mshv: implement cpu_thread_is_idle() hook
In MSHV the hypervisor APIC is always used, so we need to implement this hook
to make sure the AP's vcpu thread is not blocked waiting for an INIT SIPI
by the BSP. Without this change soft reboots with -smp cpus>=2 will
hang.
Paolo Bonzini [Fri, 15 May 2026 10:10:22 +0000 (12:10 +0200)]
apic: fix delivery bitmask with modified xAPIC ids
Self-IPIs (or all-but-self IPIs) in QEMU can cause an out-of-bounds access
to deliver_bitmask, because the access uses the APIC ID register which
is writable by the guest. However, foreach_apic uses the delivery
bitmask indexes to look up the local_apics[] array, which is indexed
by *initial* APIC id. Using the right id fixes both a possible heap
write overflow if the modified APIC id is too large for max_apic_words,
and a mis-delivery of both self and all-but-self IPIs.
Reported-by: Wei Che Kao <skps96g313.cs10@gmail.com> Cc: qemu-stable@nongnu.org Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
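A small model of the indexing mismatch described in the commit message above, showing why the self-IPI bit has to be keyed by the initial APIC id. This is an added example, not code from the commit or from QEMU. The struct, the helper names and the one-word mask size are assumptions, and the range check in `model_mask_set_bit()` exists in the model so that it never writes outside the mask.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MASK_WORDS 1  /* constructed: one 32-bit word, indexes 0..31 */

/* Hypothetical reduced APIC state, not QEMU's APIC state struct. */
struct apic_model {
    uint32_t initial_apic_id;  /* fixed at creation; index into local_apics[] */
    uint8_t  id;               /* xAPIC ID register; the guest can rewrite it */
};

/* Set one bit, refusing any index that falls outside the allocated words. */
static bool model_mask_set_bit(uint32_t *mask, size_t words, uint32_t idx)
{
    if (idx / 32 >= words) {
        return false;
    }
    mask[idx / 32] |= UINT32_C(1) << (idx % 32);
    return true;
}

/* Mismatched keying: the bit position is taken from the guest-writable ID
 * register, although the mask is later read as local_apics[] indexes. */
bool model_self_mask_from_id_register(const struct apic_model *a,
                                      uint32_t *mask, size_t words)
{
    memset(mask, 0, words * sizeof(*mask));
    return model_mask_set_bit(mask, words, a->id);
}

/* Consistent keying: the bit position is the initial APIC id, the same
 * value that indexes local_apics[]. */
bool model_self_mask_from_initial_id(const struct apic_model *a,
                                     uint32_t *mask, size_t words)
{
    memset(mask, 0, words * sizeof(*mask));
    return model_mask_set_bit(mask, words, a->initial_apic_id);
}

/* First local_apics[] index selected by the mask, or -1 if it is empty. */
int model_first_target(const uint32_t *mask, size_t words)
{
    for (size_t i = 0; i < words * 32; i++) {
        if (mask[i / 32] & (UINT32_C(1) << (i % 32))) {
            return (int)i;
        }
    }
    return -1;
}

/* Where a self-IPI lands for an APIC whose ID register holds guest_id;
 * -1 means the index did not fit the mask and nothing was written. */
int model_self_ipi_target(uint32_t initial_id, uint8_t guest_id,
                          bool use_initial_id)
{
    struct apic_model a = { initial_id, guest_id };
    uint32_t mask[MODEL_MASK_WORDS];
    bool ok = use_initial_id
        ? model_self_mask_from_initial_id(&a, mask, MODEL_MASK_WORDS)
        : model_self_mask_from_id_register(&a, mask, MODEL_MASK_WORDS);
    return ok ? model_first_target(mask, MODEL_MASK_WORDS) : -1;
}

int main(void)
{
    /* Constructed cases: the APIC with initial id 1 has its ID rewritten. */
    printf("id=3,   by register: %d\n", model_self_ipi_target(1, 3, false));
    printf("id=3,   by initial:  %d\n", model_self_ipi_target(1, 3, true));
    printf("id=200, by register: %d\n", model_self_ipi_target(1, 200, false));
    printf("id=200, by initial:  %d\n", model_self_ipi_target(1, 200, true));
    return 0;
}
```

Keyed by the ID register, a rewritten in-range id selects another APIC's slot and a large id does not fit the mask at all; keyed by the initial id, the self-IPI reaches slot 1 in both cases.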